You can't extract MAC from SLAACed IPv6 due to privacy extensions (RFC 4941).

I like one-VLAN-per-customer idea, but it doesn't always scale (in some environments you'd run out of VLANs).

Thanks!
Ivan

-----Original Message-----
From: ipv6-wg-bounces@ripe.net [mailto:ipv6-wg-bounces@ripe.net] On Behalf Of Tero Toikkanen
Sent: Thursday, September 29, 2011 1:55 PM
To: ipv6-wg@ripe.net
Subject: Re: [ipv6-wg] End-host IPv6 address allocation on Carrier Ethernet

#2 - use SLAAC and don't care
=============================
Consumer hosts will get random IPv6 addresses out of your Carrier Ethernet /64 prefix. Can you afford the "don't care" part of it?

We provide a static /64 with SLAAC per connection, but allow static addresses within that /64 as well. Connections are provisioned as individual router subinterfaces, so user-to-address mapping happens on subnet level and URPF prevents spoofing. This naturally works only as long as you have a single customer/connection per VLAN, not so much with group-VLANs (which are shared by several connections). With SLAAC you can dig the MAC address from the IPv6-address, if necessary (MAC-spoofing can be a problem, but that's the case with DHCP and IPv4-world as well. ND-attacks are an issue as well.)

The shortcomings with this approach include:
- doesn't work with group-VLANs
- the end-user has to configure DNS-servers manually

____________________________________
Tero Toikkanen
Network Engineer
Nebula Oy
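
Added example, not part of either message above: the two points in this exchange (a MAC can be read back from a modified EUI-64 SLAAC address, but not from an address with a random RFC 4941 interface ID) shown as a small attribution helper. The function names and the sample addresses in the 2001:db8::/32 documentation prefix are constructed for illustration.

```python
import ipaddress

def slaac_address(prefix, mac):
    """Build the modified EUI-64 SLAAC address for `mac` inside a /64 `prefix`."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC")
    # Insert ff:fe in the middle and invert the universal/local bit (0x02).
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def mac_from_slaac(addr):
    """Return the embedded MAC if the interface ID looks like EUI-64, else None.

    Heuristic: a random RFC 4941 interface ID can contain ff:fe by chance,
    and the MAC is whatever the host chose to present, so treat the result
    as a hint, not as proof of identity.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def attribute(addresses):
    """Map each source address to a recovered MAC, or None when opaque."""
    return {a: mac_from_slaac(a) for a in addresses}

# Constructed sample: two hosts in one documentation-prefix /64.
SAMPLE = [
    "2001:db8:0:1:21b:21ff:fe3a:4c5d",   # EUI-64 derived
    "2001:db8:0:1:d4c8:7e1f:9a03:66b2",  # random (privacy-style) interface ID
]

if __name__ == "__main__":
    for addr, mac in attribute(SAMPLE).items():
        print(addr, "->", mac or "no MAC recoverable")
```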